The News: SUSE has earned the highest level accreditation for its flagship SLES Linux distribution. Announced this week, the Common Criteria EAL 4+ certification for the SUSE Linux Enterprise Server (SLES) 15 SP2 is now EAL 4+ level certified for IBM Z, Arm, and x86-64 architectures, signifying compliance with the most demanding security requirements for mission critical infrastructure. Read the full press release from SUSE here.
SUSE Earns Highest Level Accreditation for its SLES Linux Distribution, Doubles Down on Security
Analyst Take: The news that SUSE has earned the highest level accreditation for its SLES Linux distribution was welcome news. With the daily headlines filled with high profile hacking attacks, and the reality that ransomware is focused on critical infrastructure, security has never been more of a hot button issue. Against this backdrop, the announcement by SUSE concerning the security certification for the company’s SLES Linux distribution is incredibly timely.
What is Common Criteria?
Common Criteria (CC) is an international set of guidelines with 17 certificate authorizing member nations and 14 certificate consuming countries that provide specifications developed for evaluating information security products. These specifications are specifically designed to ensure they meet an agreed-upon security standard for government deployments. Given the provenance and widespread adoption of these specifications, many security focused organizations in Finance, Telco, Retail, and those focused on securing personally identifiable information (PII) use these specifications as a way to evaluate solutions
The Common Criteria specifications are broken into two areas: Protection Profiles and Evaluation Assurance Levels. A Protection Profile (PPro) defines a standard set of security requirements for a specific type of product. The Evaluation Assurance Level (EAL) specification defines the thoroughness of product testing.
Evaluation Assurance Levels range from 1-7, with seven being the highest-level of evaluation. Despite what you may think, a higher evaluation level does not mean the product has a higher level of security, only that the product went through more tests. The graphic below provides a quick overview of the EAL levels:
In order to submit a solution for evaluation, the submitting vendor must complete a Security Target (ST) description. This vendor submission includes an overview of the product and the product’s security features, along with the vendor’s self-assessment detailing how the product is designed to conform to the relevant Protection Profile at the EAL the vendor chooses to be tested against. Following the vendor submission, the next step is for the laboratory to test the product to verify the product’s security features. The results of a successful evaluation form the basis for an official certification of the product.
In a Strategic Move, SUSE Doubling Down on Security is Smart
This is without question an indicator that SUSE is doubling down on security — which is smart strategy. As more and more organizations deploy Linux into mission critical environments, and UNIX deployments correspondingly decrease, the need for highly secure operating systems is becoming more prevalent. Against this backdrop, it is somewhat surprising that SUSE is currently the only provider of a general purpose Linux operating system with a secure software supply chain that is certified Common Criteria EAL 4+ for the IBM Z, Arm and x86-64 architectures given how prevalent these platforms are in governments and financial services organizations. Given their market leadership, it will be interesting to see when Red Hat receives this same certification.
Commenting on the announcement, Thomas Di Giacomo, SUSE Chief Technology and Product Officer said, “In today’s age of advanced hacking and service disruption, Common Criteria EAL 4+ level certification for SLES provides confidence to critical service providers such as governments, finance and banking companies, healthcare organizations, water and power companies, telecommunications providers, and others innovating at the edge.”
SUSE Linux Enterprise Server 15 SP2 was also certified by BSI, Germany’s Federal Office for Information Security, full details of that certification can be found here.
The Significance of SUSE’s EAL Certification
As vendors look to increase the security posture of their offerings and solutions, I expect to see a stronger focus on industry standards and specifications such as EAL as these independent specifications allow customers to make purchasing decisions based on independent verification. While the Common Criteria evaluation criteria are not a hard and fast insurance policy, they do form a basis for vendor evaluations and would form the basis for a series of questions in any Request For Information or Request For Proposal.
As deployment models become more fragmented — with solutions spanning IoT, edge, on-premises datacenter and increasingly hybrid and public cloud models — customers need a way to evaluate solutions and make informed decisions. Approaches such as Common Criteria and EAL address this requirement and will therefore become a key part of how vendors start to describe their offerings to potential customers.
SUSE taking a leadership position in certifying the ARM, IBM Z & LinuxONE and Intel x86-64 platforms is good for the Linux market as a whole, as it will force vendors such as Red Hat with RHEL and Canonical with Ubuntu to follow suit. I would expect these vendors to not be far behind in getting their Linux distributions certified. However, if Red Hat and Canonical do delay in getting their distributions certified, I would expect to see SUSE leverage their first mover advantage to drive further adoption in customer segments that will be focused on EAL ratings.
Disclosure: Futurum Research is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.